cve/published/2025/CVE-2025-22083.mbox - pub/scm/linux/security/vulns - Git at Google

 From bippy-1.2.0 Mon Sep 17 00:00:00 2001
 From: Greg Kroah-Hartman <gregkh@kernel.org>
 To: <linux-cve-announce@vger.kernel.org>
 Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
 Subject: CVE-2025-22083: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

 Description
 ===========

 In the Linux kernel, the following vulnerability has been resolved:

 vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

 If vhost_scsi_set_endpoint is called multiple times without a
 vhost_scsi_clear_endpoint between them, we can hit multiple bugs
 found by Haoran Zhang:

 1. Use-after-free when no tpgs are found:

 This fixes a use after free that occurs when vhost_scsi_set_endpoint is
 called more than once and calls after the first call do not find any
 tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds
 tpgs to add to the vs_tpg array match=true, so we will do:

 vhost_vq_set_backend(vq, vs_tpg);
 ...

 kfree(vs->vs_tpg);
 vs->vs_tpg = vs_tpg;

 If vhost_scsi_set_endpoint is called again and no tpgs are found
 match=false so we skip the vhost_vq_set_backend call leaving the
 pointer to the vs_tpg we then free via:

 kfree(vs->vs_tpg);
 vs->vs_tpg = vs_tpg;

 If a scsi request is then sent we do:

 vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend

 which sees the vs_tpg we just did a kfree on.

 2. Tpg dir removal hang:

 This patch fixes an issue where we cannot remove a LIO/target layer
 tpg (and structs above it like the target) dir due to the refcount
 dropping to -1.

 The problem is that if vhost_scsi_set_endpoint detects a tpg is already
 in the vs->vs_tpg array or if the tpg has been removed so
 target_depend_item fails, the undepend goto handler will do
 target_undepend_item on all tpgs in the vs_tpg array dropping their
 refcount to 0. At this time vs_tpg contains both the tpgs we have added
 in the current vhost_scsi_set_endpoint call as well as tpgs we added in
 previous calls which are also in vs->vs_tpg.

 Later, when vhost_scsi_clear_endpoint runs it will do
 target_undepend_item on all the tpgs in the vs->vs_tpg which will drop
 their refcount to -1. Userspace will then not be able to remove the tpg
 and will hang when it tries to do rmdir on the tpg dir.

 3. Tpg leak:

 This fixes a bug where we can leak tpgs and cause them to be
 un-removable because the target name is overwritten when
 vhost_scsi_set_endpoint is called multiple times but with different
 target names.

 The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup
 a vhost-scsi device to target/tpg mapping, then calls
 VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we
 haven't seen before (target1 has tpg1 but target2 has tpg2). When this
 happens we don't teardown the old target tpg mapping and just overwrite
 the target name and the vs->vs_tpg array. Later when we do
 vhost_scsi_clear_endpoint, we are passed in either target1 or target2's
 name and we will only match that target's tpgs when we loop over the
 vs->vs_tpg. We will then return from the function without doing
 target_undepend_item on the tpgs.

 Because of all these bugs, it looks like being able to call
 vhost_scsi_set_endpoint multiple times was never supported. The major
 user, QEMU, already has checks to prevent this use case. So to fix the
 issues, this patch prevents vhost_scsi_set_endpoint from being called
 if it's already successfully added tpgs. To add, remove or change the
 tpg config or target name, you must do a vhost_scsi_clear_endpoint
 first.

 The Linux kernel CVE team has assigned CVE-2025-22083 to this issue.


 Affected and fixed versions
 ===========================

 	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.6.87 with commit 2b34bdc42df047794542f3e220fe989124e4499a
 	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.12.23 with commit 3a19eb3d9818e28f14c818a18dc913344a52ca92
 	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.13.11 with commit 3fd054baf382a426bbf5135ede0fc5673db74d3e
 	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.14.2 with commit 63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
 	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.15 with commit 5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6

 Please see https://www.kernel.org for a full list of currently supported
 kernel versions by the kernel community.

 Unaffected versions might change over time as fixes are backported to
 older supported kernel versions.  The official CVE entry at
 	https://cve.org/CVERecord/?id=CVE-2025-22083
 will be updated if fixes are backported, please check that for the most
 up to date information about this issue.


 Affected files
 ==============

 The file(s) affected by this issue are:
 	drivers/vhost/scsi.c


 Mitigation
 ==========

 The Linux kernel CVE team recommends that you update to the latest
 stable kernel version for this, and many other bugfixes.  Individual
 changes are never tested alone, but rather are part of a larger kernel
 release.  Cherry-picking individual commits is not recommended or
 supported by the Linux kernel community at all.  If however, updating to
 the latest release is impossible, the individual changes to resolve this
 issue can be found at these commits:
 	https://git.kernel.org/stable/c/2b34bdc42df047794542f3e220fe989124e4499a
 	https://git.kernel.org/stable/c/3a19eb3d9818e28f14c818a18dc913344a52ca92
 	https://git.kernel.org/stable/c/3fd054baf382a426bbf5135ede0fc5673db74d3e
 	https://git.kernel.org/stable/c/63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
 	https://git.kernel.org/stable/c/5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6
	From bippy-1.2.0 Mon Sep 17 00:00:00 2001
	From: Greg Kroah-Hartman <gregkh@kernel.org>
	To: <linux-cve-announce@vger.kernel.org>
	Reply-to: <cve@kernel.org>, <linux-kernel@vger.kernel.org>
	Subject: CVE-2025-22083: vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

	Description
	===========

	In the Linux kernel, the following vulnerability has been resolved:

	vhost-scsi: Fix handling of multiple calls to vhost_scsi_set_endpoint

	If vhost_scsi_set_endpoint is called multiple times without a
	vhost_scsi_clear_endpoint between them, we can hit multiple bugs
	found by Haoran Zhang:

	1. Use-after-free when no tpgs are found:

	This fixes a use after free that occurs when vhost_scsi_set_endpoint is
	called more than once and calls after the first call do not find any
	tpgs to add to the vs_tpg. When vhost_scsi_set_endpoint first finds
	tpgs to add to the vs_tpg array match=true, so we will do:

	vhost_vq_set_backend(vq, vs_tpg);
	...

	kfree(vs->vs_tpg);
	vs->vs_tpg = vs_tpg;

	If vhost_scsi_set_endpoint is called again and no tpgs are found
	match=false so we skip the vhost_vq_set_backend call leaving the
	pointer to the vs_tpg we then free via:

	kfree(vs->vs_tpg);
	vs->vs_tpg = vs_tpg;

	If a scsi request is then sent we do:

	vhost_scsi_handle_vq -> vhost_scsi_get_req -> vhost_vq_get_backend

	which sees the vs_tpg we just did a kfree on.

	2. Tpg dir removal hang:

	This patch fixes an issue where we cannot remove a LIO/target layer
	tpg (and structs above it like the target) dir due to the refcount
	dropping to -1.

	The problem is that if vhost_scsi_set_endpoint detects a tpg is already
	in the vs->vs_tpg array or if the tpg has been removed so
	target_depend_item fails, the undepend goto handler will do
	target_undepend_item on all tpgs in the vs_tpg array dropping their
	refcount to 0. At this time vs_tpg contains both the tpgs we have added
	in the current vhost_scsi_set_endpoint call as well as tpgs we added in
	previous calls which are also in vs->vs_tpg.

	Later, when vhost_scsi_clear_endpoint runs it will do
	target_undepend_item on all the tpgs in the vs->vs_tpg which will drop
	their refcount to -1. Userspace will then not be able to remove the tpg
	and will hang when it tries to do rmdir on the tpg dir.

	3. Tpg leak:

	This fixes a bug where we can leak tpgs and cause them to be
	un-removable because the target name is overwritten when
	vhost_scsi_set_endpoint is called multiple times but with different
	target names.

	The bug occurs if a user has called VHOST_SCSI_SET_ENDPOINT and setup
	a vhost-scsi device to target/tpg mapping, then calls
	VHOST_SCSI_SET_ENDPOINT again with a new target name that has tpgs we
	haven't seen before (target1 has tpg1 but target2 has tpg2). When this
	happens we don't teardown the old target tpg mapping and just overwrite
	the target name and the vs->vs_tpg array. Later when we do
	vhost_scsi_clear_endpoint, we are passed in either target1 or target2's
	name and we will only match that target's tpgs when we loop over the
	vs->vs_tpg. We will then return from the function without doing
	target_undepend_item on the tpgs.

	Because of all these bugs, it looks like being able to call
	vhost_scsi_set_endpoint multiple times was never supported. The major
	user, QEMU, already has checks to prevent this use case. So to fix the
	issues, this patch prevents vhost_scsi_set_endpoint from being called
	if it's already successfully added tpgs. To add, remove or change the
	tpg config or target name, you must do a vhost_scsi_clear_endpoint
	first.

	The Linux kernel CVE team has assigned CVE-2025-22083 to this issue.


	Affected and fixed versions
	===========================

	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.6.87 with commit 2b34bdc42df047794542f3e220fe989124e4499a
	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.12.23 with commit 3a19eb3d9818e28f14c818a18dc913344a52ca92
	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.13.11 with commit 3fd054baf382a426bbf5135ede0fc5673db74d3e
	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.14.2 with commit 63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
	Issue introduced in 3.9 with commit 4f7f46d32c9875004fae1d57ae3c02cc2e6cd6a3 and fixed in 6.15 with commit 5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6

	Please see https://www.kernel.org for a full list of currently supported
	kernel versions by the kernel community.

	Unaffected versions might change over time as fixes are backported to
	older supported kernel versions. The official CVE entry at
	https://cve.org/CVERecord/?id=CVE-2025-22083
	will be updated if fixes are backported, please check that for the most
	up to date information about this issue.


	Affected files
	==============

	The file(s) affected by this issue are:
	drivers/vhost/scsi.c


	Mitigation
	==========

	The Linux kernel CVE team recommends that you update to the latest
	stable kernel version for this, and many other bugfixes. Individual
	changes are never tested alone, but rather are part of a larger kernel
	release. Cherry-picking individual commits is not recommended or
	supported by the Linux kernel community at all. If however, updating to
	the latest release is impossible, the individual changes to resolve this
	issue can be found at these commits:
	https://git.kernel.org/stable/c/2b34bdc42df047794542f3e220fe989124e4499a
	https://git.kernel.org/stable/c/3a19eb3d9818e28f14c818a18dc913344a52ca92
	https://git.kernel.org/stable/c/3fd054baf382a426bbf5135ede0fc5673db74d3e
	https://git.kernel.org/stable/c/63b449f73ab0dcc0ba11ceaa4c5c70bc86ccf03c
	https://git.kernel.org/stable/c/5dd639a1646ef5fe8f4bf270fad47c5c3755b9b6